Postings on network security, Silicon Valley, technology, wine, infrastructure, that ubiquitous cloud, SaaS, web 2.0, marketing, management, strategy. Companies that may be mentioned include the usual security suspects. To name a few, in no particular order: Panda, Trend Micro, ESET, Avast, Symantec, BitDefender, Kaspersky, McAfee, Sophos. All of whom market their products as providing much above average security ;) .

Sunday, March 16, 2014

Just When You Thought the Target Breach Story Was Over. A Tale of Advanced Persistent Threats (APT), FireEye, and Warnings Ignored

In the previous chapter of this adventure, Target CIO Beth Jacob had taken the hit and was going to resign, and Target was going to implement new processes to protect its network. Prior to this, Target had gone through a number of phases since the attack began in late November: denial; CEO Gregg Steinhafel is nowhere to be found; "Houston, we've got a problem"; "Let's give customers a 'we're sorry' discount"; CEO is found (finally, someone looked at a book on crisis management); transparency; free credit monitoring for customers; etc. The Russian hackers involved in this incident were not even very sophisticated with their coding.

TechTarget's definition of Advanced Persistent Threat: "An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network or organization. APT attacks target organizations in sectors with high-value information, such as national defense, manufacturing, and the financial industry."

In the Bloomberg story "Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It", the authors write about how Target HAD Advanced Persistent Threat appliances from FireEye (an APT company that went public several months ago for a gazillion dollars). Side note: FEYE's market cap was $10B as of February 14, though the stock has dropped a bit less than 20% from its high.

The malware had completed most of the phases of the hackers' objective. Credit card numbers were being captured as cards were swiped on store terminals and staged on a Target server. All that was left was for the numbers to be transmitted to the cyber criminals for subsequent sale to other cyber criminals. In late November and early December, the hackers went about installing the software that would send the customer data out to staging points (probably a botnet) and then on to Russia. Busted! Well, sort of. The FireEye appliances sent an alert to the monitoring team in Bangalore. Bangalore alerted the people in Minnesota and... Minnesota did nothing! Then the transmittal of ultimately 40 million records began (a nagging question: was a DLP (Data Loss Prevention) system installed on the network at all?). It wasn't until mid-December, when the Department of Justice got involved, that Target really began investigating.

By the way, the option for the FireEye appliance to automatically delete malware as soon as it was detected was turned off. What's even more ludicrous is that Symantec's Endpoint Protection software also identified the malware. So this was not a detection failure: two independent products flagged the same host, and nobody acted on either alert. Target has spent $61 million on the breach so far. Lawsuits. Abysmal Q4 profit (down almost 50%).
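To make the "two products flagged it, nobody acted" point concrete, here is an added example (my own illustration, not code from this post, from Target, or from any vendor named here) of the triage logic a SOC could run over its alert and egress records. It escalates a host that is flagged by two independent sensors, escalates any flagged host that later sends data to a destination outside an allowlist, and adds a minimal DLP check that looks for Luhn-valid card numbers in outbound payloads. Every sensor name, host name, IP address and log record below is constructed for the example; the sensor names are hypothetical labels, not real product output formats.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts from two independent sensors:
# (timestamp, sensor, host, detail). Sensor names are hypothetical labels.
ALERTS = [
    ("2013-11-30T02:14:00", "fireeye", "pos-stage-01", "malware.binary dropped"),
    ("2013-11-30T02:15:30", "symantec_sep", "pos-stage-01", "suspicious process"),
    ("2013-12-01T09:30:00", "symantec_sep", "hr-laptop-22", "adware"),
]

# Constructed outbound flow records: (timestamp, src host, dst ip, payload excerpt).
# 4111111111111111 and 5500000000000004 are well-known test card numbers;
# 4111111111111112 fails the Luhn check and should be ignored.
FLOWS = [
    ("2013-12-02T04:05:00", "pos-stage-01", "203.0.113.9",
     "track=4111111111111111;4111111111111112"),
    ("2013-12-01T10:00:00", "hr-laptop-22", "198.51.100.20", "GET /updates"),
    ("2013-12-02T04:06:00", "pos-stage-01", "10.0.0.5",
     "replicating 5500000000000004"),
]

# Destinations the business expects card-handling systems to talk to (constructed).
ALLOWLIST = {"198.51.100.20", "10.0.0.5"}

# 15- or 16-digit runs not embedded in a longer digit string.
PAN_RE = re.compile(r"(?<!\d)\d{15,16}(?!\d)")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the Luhn-valid card-number-shaped strings found in text."""
    return [m for m in PAN_RE.findall(text) if luhn_valid(m)]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def triage(alerts, flows, allowlist):
    """Map each host to the sorted list of escalation reasons it earned.

    multi-sensor      : flagged by two or more distinct sensors
    post-alert-egress : talked to a non-allowlisted destination after its first alert
    pan-egress        : sent Luhn-valid card numbers to a non-allowlisted destination
    """
    findings = defaultdict(set)
    sensors_by_host = defaultdict(set)
    first_alert = {}
    for ts, sensor, host, _detail in alerts:
        sensors_by_host[host].add(sensor)
        t = _ts(ts)
        if host not in first_alert or t < first_alert[host]:
            first_alert[host] = t
    for host, sensors in sensors_by_host.items():
        if len(sensors) >= 2:
            findings[host].add("multi-sensor")
    for ts, src, dst, payload in flows:
        external = dst not in allowlist
        if external and src in first_alert and _ts(ts) > first_alert[src]:
            findings[src].add("post-alert-egress")
        if external and find_pans(payload):
            findings[src].add("pan-egress")
    return {host: sorted(reasons) for host, reasons in findings.items()}


if __name__ == "__main__":
    for host, reasons in triage(ALERTS, FLOWS, ALLOWLIST).items():
        print(host, "->", ", ".join(reasons))
```

On the constructed data only pos-stage-01 escalates, for all three reasons; hr-laptop-22 gets a single low-value alert and only ever talks to an allowlisted host, so it stays in the queue. The point of the second and third rules is that an alert which was not acted on does not go away: the moment the flagged host starts pushing data out, the old alert should resurface with a higher priority, and card-shaped data leaving for an unknown destination should page someone regardless of what the malware sensors said.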

Takeaways from this: if your network does not have them, look at investing in an APT solution and a DLP solution. And don't ignore your security solutions when they flag something; a detection product whose alerts nobody acts on, and whose blocking mode is switched off, is just an expensive log. NSS Labs (www.nsslabs.com), Ellen Messmer at Network World (www.networkworld.com), and Lawrence Pingree at Gartner (www.gartner.com) have all written about Advanced Persistent Threat vendors. Type "advanced persistent threat" into a Google search and a slew of vendors will show up in the ads on the right-hand side.